rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Original Message:
Sent: 3/22/2022 3:11:00 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Give up and buy Aspera. Nothing in the world is worth the pain of trying to install rsync on AIX.

------------------------------
Henrik Morsing
------------------------------

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Original Message:
Sent: 3/23/2022 6:29:00 AM
From: Henrik Morsing
Subject: RE: Rsync installing the AIX 6100-09-04-1441

Give up and buy Aspera. Nothing in the world is worth the pain of trying to install rsync on AIX.

------------------------------
Henrik Morsing
------------------------------

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Using yum (on AIX 7.1/2/3) makes the installation easy. No pain at all.

# yum install rsync
Loaded plugins: downloadonly
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package rsync.ppc 0:3.2.3-1 will be installed
--> Processing Dependency: lz4 >= 1.9.2 for package: rsync-3.2.3-1.ppc
--> Processing Dependency: liblz4.a(liblz4.so.1) for package: rsync-3.2.3-1.ppc
--> Running transaction check
---> Package lz4.ppc 0:1.9.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================================
Installing:
rsync ppc 3.2.3-1 AIX_Toolbox 870 k
Installing for dependencies:
lz4 ppc 1.9.2-1 AIX_Toolbox 420 k

Transaction Summary
==============================================================================================================================================================================================================
Install 2 Packages

Total download size: 1.3 M
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): lz4-1.9.2-1.aix6.1.ppc.rpm | 420 kB 00:00:01
(2/2): rsync-3.2.3-1.aix6.1.ppc.rpm | 870 kB 00:00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 420 kB/s | 1.3 MB 00:03
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : lz4-1.9.2-1.ppc 1/2
Installing : rsync-3.2.3-1.ppc 2/2

Installed:
rsync.ppc 0:3.2.3-1

Dependency Installed:
lz4.ppc 0:1.9.2-1

Complete!

------------------------------
CHRIS GIBSON
------------------------------

Original Message:
Sent: Wed March 23, 2022 06:29 AM
From: Henrik Morsing
Subject: Rsync installing the AIX 6100-09-04-1441

Give up and buy Aspera. Nothing in the world is worth the pain of trying to install rsync on AIX.

------------------------------
Henrik Morsing

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Hi Chris,

I can't think of one of the fifteen companies I have worked for where AIX systems had Internet access.

Buy Aspera, only way around it.

Regards,
Henrik Morsing

------------------------------
Henrik Morsing
------------------------------

Original Message:
Sent: Thu March 24, 2022 07:11 PM
From: CHRIS GIBSON
Subject: Rsync installing the AIX 6100-09-04-1441

Using yum (on AIX 7.1/2/3) makes the installation easy. No pain at all.

# yum install rsync
Loaded plugins: downloadonly
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package rsync.ppc 0:3.2.3-1 will be installed
--> Processing Dependency: lz4 >= 1.9.2 for package: rsync-3.2.3-1.ppc
--> Processing Dependency: liblz4.a(liblz4.so.1) for package: rsync-3.2.3-1.ppc
--> Running transaction check
---> Package lz4.ppc 0:1.9.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================================
Installing:
rsync ppc 3.2.3-1 AIX_Toolbox 870 k
Installing for dependencies:
lz4 ppc 1.9.2-1 AIX_Toolbox 420 k

Transaction Summary
==============================================================================================================================================================================================================
Install 2 Packages

Total download size: 1.3 M
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): lz4-1.9.2-1.aix6.1.ppc.rpm | 420 kB 00:00:01
(2/2): rsync-3.2.3-1.aix6.1.ppc.rpm | 870 kB 00:00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 420 kB/s | 1.3 MB 00:03
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : lz4-1.9.2-1.ppc 1/2
Installing : rsync-3.2.3-1.ppc 2/2

Installed:
rsync.ppc 0:3.2.3-1

Dependency Installed:
lz4.ppc 0:1.9.2-1

Complete!

------------------------------
CHRIS GIBSON

Original Message:
Sent: Wed March 23, 2022 06:29 AM
From: Henrik Morsing
Subject: Rsync installing the AIX 6100-09-04-1441

Give up and buy Aspera. Nothing in the world is worth the pain of trying to install rsync on AIX.

------------------------------
Henrik Morsing

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Create a local yum repo and enjoy! All of my customers are doing this now.

------------------------------
CHRIS GIBSON
------------------------------

Original Message:
Sent: Fri March 25, 2022 05:34 AM
From: Henrik Morsing
Subject: Rsync installing the AIX 6100-09-04-1441

Hi Chris,

I can't think of one of the fifteen companies I have worked for where AIX systems had Internet access.

Buy Aspera, only way around it.

Regards,
Henrik Morsing

------------------------------
Henrik Morsing

Original Message:
Sent: Thu March 24, 2022 07:11 PM
From: CHRIS GIBSON
Subject: Rsync installing the AIX 6100-09-04-1441

Using yum (on AIX 7.1/2/3) makes the installation easy. No pain at all.

# yum install rsync
Loaded plugins: downloadonly
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package rsync.ppc 0:3.2.3-1 will be installed
--> Processing Dependency: lz4 >= 1.9.2 for package: rsync-3.2.3-1.ppc
--> Processing Dependency: liblz4.a(liblz4.so.1) for package: rsync-3.2.3-1.ppc
--> Running transaction check
---> Package lz4.ppc 0:1.9.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================================================
Installing:
rsync ppc 3.2.3-1 AIX_Toolbox 870 k
Installing for dependencies:
lz4 ppc 1.9.2-1 AIX_Toolbox 420 k

Transaction Summary
==============================================================================================================================================================================================================
Install 2 Packages

Total download size: 1.3 M
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): lz4-1.9.2-1.aix6.1.ppc.rpm | 420 kB 00:00:01
(2/2): rsync-3.2.3-1.aix6.1.ppc.rpm | 870 kB 00:00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 420 kB/s | 1.3 MB 00:03
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : lz4-1.9.2-1.ppc 1/2
Installing : rsync-3.2.3-1.ppc 2/2

Installed:
rsync.ppc 0:3.2.3-1

Dependency Installed:
lz4.ppc 0:1.9.2-1

Complete!

------------------------------
CHRIS GIBSON

Original Message:
Sent: Wed March 23, 2022 06:29 AM
From: Henrik Morsing
Subject: Rsync installing the AIX 6100-09-04-1441

Give up and buy Aspera. Nothing in the world is worth the pain of trying to install rsync on AIX.

------------------------------
Henrik Morsing

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Suspect you have old openssl version that's not compatible.  Also rsync has prereq of popt and they are both very version dependent.

Up until AIX 7.2 TL3 used to be able to install latest from AIX Linux affinity toolbox.  Had major issues when AIX 7.2 TL3 came out where I had to install specific version in specific order;

Install newer openssl, then matching openssh    (note, I had issue installing very latest, had to go back to like 1.0.2t)
https://www.ibm.com/support/pages/downloading-and-installing-or-upgrading-openssl-and-openssh?mhsrc=ibmsearch_a&mhq=openssl

Install order/versions that work for me on AIX 7.2 TL3-TL5:
gettext-0.19.7-1.ppc
popt-1.16-3.ppc
rsync-3.1.3-2.ppc

output of rpm-qa command:
# rpm -qa
tcl-8.4.7-3.ppc
expect-5.42.1-3.ppc
gettext-0.19.7-1.ppc
popt-1.16-3.ppc
rsync-3.1.3-2.ppc
tk-8.4.7-3.ppc
AIX-rpm-7.2.4.0-4.ppc

I can't speak for AIX 6.1 TL9 with latest packages and suspect it's nearly impossible to locate these compiled versions for AIX.  I'm AIX opensource novice so I'm sure others here can be helpful.  I typically use smit install with "preview" to see pass/fail of given package before applying to avoid making a mess of the server.

Hope this helps, suspect your issue lies with openssl.

------------------------------
Ron Arms
------------------------------

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

All the open source dependencies are available on AIX toolbox https://www.ibm.com/support/pages/node/883798
As mentioned by other either you have older version of openssl or it is not added into the AIX-rpm virtual package.
If you have latest version of openssl and still you are seeing "ibcrypto.a(libcrypto.so.1.0.2) is needed" issue then please run 'updtvpkg' command.
Other dependencies you can get from AIX toolbox. 
We recommend to use dnf to install packages from AIX toolbox. 

For future if you have questions/issues related to AIX open source packages better use AIX open source discussion forum https://ibm.biz/aixoss_forum

------------------------------
SANKET RATHI
------------------------------

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

I prefer using aixtools.net.  The maintainer builds the packages into instalp format(thus shows up in lslpp output), AND, packages the dependancies as static modules.  Thus saving you from the dependency hell you're starting to slide into.

www.aixtools.net/index.php/rsync

he's also been fairly active on rootvg.net to discuss his packaging.

------------------------------
Tom McGivern
------------------------------

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Both the approaches have their pros and cons.
If everything is built statically then you don't know what all dependencies are there and if there is any security vulnerabilities in any of the dependency.
Also if there is an issue in one of the dependency then whole package has to be rebuilt.
The dynamic libraries and dependency is more universal solution and transparent. It is the method followed on other platform hence it is more compatible. 
Once you have setup dnf/yum then it is very easy to install any package from AIX toolbox or your local yum repo. 
It is similar to any rpm based Linux distro.

------------------------------
SANKET RATHI
------------------------------

Original Message:
Sent: Thu March 24, 2022 12:35 PM
From: Tom McGivern
Subject: Rsync installing the AIX 6100-09-04-1441

I prefer using aixtools.net.  The maintainer builds the packages into instalp format(thus shows up in lslpp output), AND, packages the dependancies as static modules.  Thus saving you from the dependency hell you're starting to slide into.

www.aixtools.net/index.php/rsync

he's also been fairly active on rootvg.net to discuss his packaging.

------------------------------
Tom McGivern

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

I'm afraid I have to respond, but please don't interpet my criticism
for hostility. I feel I have to debunk some points.

On Thu, Mar 24, 2022 at 05:18:31PM +0000, SANKET RATHI via IBM Community wrote:
> Both the approaches have their pros and cons.

I assume you mean to compare distributing statically compiled
binaries, versus dynamically compiled binaries.

> If everything is built statically then you don't know what all
> dependencies are there and if there is any security vulnerabilities
> in any of the dependency. Also if there is an issue in one of the
> dependency then whole package has to be rebuilt.

That's true that static images may include older libraries. I think
that just demonstrates that dependencies should be minimized and
documented for transparency and security.

There is a major problem with dependency spam in packaging on other
platforms (ie: Linux), which is bleeding into AIX packages.

Distributing programs with dynamic dependencies that makes mandatory
use of a second parallel package manager in order to resolve those
dependencies is really only reducing the workload on the
**packager**.

It doesn't address the security concerns of those increased
dependencies, or the sudden enormous growth in trivial
dependencies. It also doesn't address the concern of creating,
securing, and maintaining parallel and conflicting package management
infrastructures.

More code == more security issues.

If I install 10x more packages in my system to get all the
dependencies, I have now 10x more software to check for
vulnerabilities and keep up to date. Now amplify that across the
install base. Our maintenance time and effort far outweighs packaging
time.

When it comes to getting software from IBM, I expect they have
encapsulated all of the dependencies and minimized my work on the
distribution side. That's why we pay for IBM software.

> The dynamic libraries and dependency is more universal solution and
> transparent. It is the method followed on other platform hence it is
> more compatible.

Google invented a whole new language (Go) which among other features
makes static binaries to deploy across their platforms to minimize
dependencies. They already faced dependency hell and made dramatic
changes to prevent it.

If Windows and Linux are your benchmarks here, they are poor
examples. AIX is more secure and reliable than these platforms
precisely because we are held to higher standards.

> Once you have setup dnf/yum then it is very easy to install any
> package from AIX toolbox or your local yum repo.

If you were on Redhat Enterprise Linux, and I told you to go setup
'apt' and download the Ubuntu repositories so I could install a
package, you'd tell me that's crazy and unsupported. It's likely that
any Redhat update would break your Ubuntu packages, and vice
versa. Why is that any different here for BFF and DNF/RPM?

Production systems are typically firewalled away from the internet for
security.

We already have existing internal infrastructure deployed to manage
AIX and software in NIM. LPP sources are distribution groups of BFF
files, and they include dependency resolution. The difference is that
it's a completely offline solution, where only code from trusted
sources (ie: IBM) is installed after being verified.

> It is similar to any rpm based Linux distro.

At the POWER VUG meeting this week the number of CVEs per OS was shown
on a slide, and from memory they had something like 8000 Linux CVE vs
80 on AIX in the time, and even fewer on PowerVM and our
hardware. Since I can't reference that slide, a few minutes searching
found an aggregation site.

For some comparison, AIX isn't even in the top 50 CVE products. All
the Linux distributions are.

https://www.cvedetails.com/top-50-products.php

Redhat has plenty (4038 total):

https://www.cvedetails.com/vendor/25/Redhat.html

While AIX doesn't (286 total).

https://www.cvedetails.com/product/17/IBM-AIX.html?vendor_id=14

AIX shouldn't aspire to be Linux.

-- rant over --

On a milder note Sanket, please take my criticism for what it is:
honest criticism. I'm trying to provide feedback to help ensure that
everyone can receive the best software they can, with the properly
high standards of reliability, maintainability, and security that we
should expect from AIX and IBM. I want to make sure that any technical
decisions are well thought out at all layers.

I understand you're involved in packaging free software for AIX, and
I'm sure that's a thankless job. There's a reason why software must be
packaged, and I'm grateful that IBM assigns talented resources to take
time to try and distribute common tools from other platforms to
AIX. Sometimes they are useful, sometimes they come with
liabilities. I also understand this is a "free" service, unlike paid
software from IBM. However the results impact our paid, supported,
premium platform.

I'm trying to explain that AIX is properly different from other
operating systems. It's trusted to handle some of the largest
workloads on Earth at some very critical institutions. As a result,
the standards are high.

Thanks for your efforts.

------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/24/2022 1:18:00 PM
From: SANKET RATHI
Subject: RE: Rsync installing the AIX 6100-09-04-1441

Both the approaches have their pros and cons.
If everything is built statically then you don't know what all dependencies are there and if there is any security vulnerabilities in any of the dependency.
Also if there is an issue in one of the dependency then whole package has to be rebuilt.
The dynamic libraries and dependency is more universal solution and transparent. It is the method followed on other platform hence it is more compatible. 
Once you have setup dnf/yum then it is very easy to install any package from AIX toolbox or your local yum repo. 
It is similar to any rpm based Linux distro.

------------------------------
SANKET RATHI
------------------------------

Original Message:
Sent: Thu March 24, 2022 12:35 PM
From: Tom McGivern
Subject: Rsync installing the AIX 6100-09-04-1441

I prefer using aixtools.net.  The maintainer builds the packages into instalp format(thus shows up in lslpp output), AND, packages the dependancies as static modules.  Thus saving you from the dependency hell you're starting to slide into.

www.aixtools.net/index.php/rsync

he's also been fairly active on rootvg.net to discuss his packaging.

------------------------------
Tom McGivern

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Thank you Russell for your honest feedback but I think there are many things we are missing here. 
We are discussing open source softwares and open source eco system is designed in such a way that it has dependency on other open source software.
Regarding minimizing dependencies so this is again very thin line over the years AIX customers have asked to enable newer functionalities on open source software this causes newer dependencies. 
If we keep static linking then this will be more work for the customers, think a scenario where 10-20 packages dependent on a library if this library has 
security vulnerability then all these 10-20 packages has to be reinstalled and reconfigured.
This is far more work hence operating systems are designed in modular way to reduce such work. 
I understand some of the people would have faced issues those are not familiar with RPM and dnf/yum but once they will get some experience it is pretty easy. 
We always wanted these open source software to not interfere with base AIX hence they are provided in separate location with its own eco system. 
There are always some scope of improvements and we welcome inputs from our partners/customers.

------------------------------
SANKET RATHI
------------------------------

Original Message:
Sent: Thu March 24, 2022 02:23 PM
From: Russell Adams
Subject: Rsync installing the AIX 6100-09-04-1441

I'm afraid I have to respond, but please don't interpet my criticism
for hostility. I feel I have to debunk some points.

On Thu, Mar 24, 2022 at 05:18:31PM +0000, SANKET RATHI via IBM Community wrote:
> Both the approaches have their pros and cons.

I assume you mean to compare distributing statically compiled
binaries, versus dynamically compiled binaries.

> If everything is built statically then you don't know what all
> dependencies are there and if there is any security vulnerabilities
> in any of the dependency. Also if there is an issue in one of the
> dependency then whole package has to be rebuilt.

That's true that static images may include older libraries. I think
that just demonstrates that dependencies should be minimized and
documented for transparency and security.

There is a major problem with dependency spam in packaging on other
platforms (ie: Linux), which is bleeding into AIX packages.

Distributing programs with dynamic dependencies that makes mandatory
use of a second parallel package manager in order to resolve those
dependencies is really only reducing the workload on the
**packager**.

It doesn't address the security concerns of those increased
dependencies, or the sudden enormous growth in trivial
dependencies. It also doesn't address the concern of creating,
securing, and maintaining parallel and conflicting package management
infrastructures.

More code == more security issues.

If I install 10x more packages in my system to get all the
dependencies, I have now 10x more software to check for
vulnerabilities and keep up to date. Now amplify that across the
install base. Our maintenance time and effort far outweighs packaging
time.

When it comes to getting software from IBM, I expect they have
encapsulated all of the dependencies and minimized my work on the
distribution side. That's why we pay for IBM software.

> The dynamic libraries and dependency is more universal solution and
> transparent. It is the method followed on other platform hence it is
> more compatible.

Google invented a whole new language (Go) which among other features
makes static binaries to deploy across their platforms to minimize
dependencies. They already faced dependency hell and made dramatic
changes to prevent it.

If Windows and Linux are your benchmarks here, they are poor
examples. AIX is more secure and reliable than these platforms
precisely because we are held to higher standards.

> Once you have setup dnf/yum then it is very easy to install any
> package from AIX toolbox or your local yum repo.

If you were on Redhat Enterprise Linux, and I told you to go setup
'apt' and download the Ubuntu repositories so I could install a
package, you'd tell me that's crazy and unsupported. It's likely that
any Redhat update would break your Ubuntu packages, and vice
versa. Why is that any different here for BFF and DNF/RPM?

Production systems are typically firewalled away from the internet for
security.

We already have existing internal infrastructure deployed to manage
AIX and software in NIM. LPP sources are distribution groups of BFF
files, and they include dependency resolution. The difference is that
it's a completely offline solution, where only code from trusted
sources (ie: IBM) is installed after being verified.

> It is similar to any rpm based Linux distro.

At the POWER VUG meeting this week the number of CVEs per OS was shown
on a slide, and from memory they had something like 8000 Linux CVE vs
80 on AIX in the time, and even fewer on PowerVM and our
hardware. Since I can't reference that slide, a few minutes searching
found an aggregation site.

For some comparison, AIX isn't even in the top 50 CVE products. All
the Linux distributions are.

https://www.cvedetails.com/top-50-products.php

Redhat has plenty (4038 total):

https://www.cvedetails.com/vendor/25/Redhat.html

While AIX doesn't (286 total).

https://www.cvedetails.com/product/17/IBM-AIX.html?vendor_id=14

AIX shouldn't aspire to be Linux.

-- rant over --

On a milder note Sanket, please take my criticism for what it is:
honest criticism. I'm trying to provide feedback to help ensure that
everyone can receive the best software they can, with the properly
high standards of reliability, maintainability, and security that we
should expect from AIX and IBM. I want to make sure that any technical
decisions are well thought out at all layers.

I understand you're involved in packaging free software for AIX, and
I'm sure that's a thankless job. There's a reason why software must be
packaged, and I'm grateful that IBM assigns talented resources to take
time to try and distribute common tools from other platforms to
AIX. Sometimes they are useful, sometimes they come with
liabilities. I also understand this is a "free" service, unlike paid
software from IBM. However the results impact our paid, supported,
premium platform.

I'm trying to explain that AIX is properly different from other
operating systems. It's trusted to handle some of the largest
workloads on Earth at some very critical institutions. As a result,
the standards are high.

Thanks for your efforts.

------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/24/2022 1:18:00 PM
From: SANKET RATHI
Subject: RE: Rsync installing the AIX 6100-09-04-1441

Both the approaches have their pros and cons.
If everything is built statically then you don't know what all dependencies are there and if there is any security vulnerabilities in any of the dependency.
Also if there is an issue in one of the dependency then whole package has to be rebuilt.
The dynamic libraries and dependency is more universal solution and transparent. It is the method followed on other platform hence it is more compatible. 
Once you have setup dnf/yum then it is very easy to install any package from AIX toolbox or your local yum repo. 
It is similar to any rpm based Linux distro.

------------------------------
SANKET RATHI

Original Message:
Sent: Thu March 24, 2022 12:35 PM
From: Tom McGivern
Subject: Rsync installing the AIX 6100-09-04-1441

I prefer using aixtools.net.  The maintainer builds the packages into instalp format(thus shows up in lslpp output), AND, packages the dependancies as static modules.  Thus saving you from the dependency hell you're starting to slide into.

www.aixtools.net/index.php/rsync

he's also been fairly active on rootvg.net to discuss his packaging.

------------------------------
Tom McGivern

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

On Fri, Mar 25, 2022 at 01:12:16PM +0000, SANKET RATHI via IBM Community wrote:
> We are discussing open source softwares and open source eco system
> is designed in such a way that it has dependency on other open
> source software.

Certainly. I speak with some experience, creating and managing
packages on AIX, Gentoo, Debian, and other Linux and BSD
distributions. There are always dependencies, but I'm discussing
packaging and deployment.

> Regarding minimizing dependencies so this is again very thin line
> over the years AIX customers have asked to enable newer
> functionalities on open source software this causes newer
> dependencies.

I think a good example of this was sudo and sudo-noldap. That was a
meaningful way to reduce dependencies.

I also need to point out that the AIX toolkit was explicitly not
supported, and I have plenty of customers where no unsupported
software are allowed on mission critical systems.

If there are popular OSS packages that IBM feels obligated to provide,
add a support fee like you do for Java Runtime and give us BFF files
we can trust that are supported by IBM.

> If we keep static linking then this will be more work for the
> customers, think a scenario where 10-20 packages dependent on a
> library if this library has security vulnerability then all these
> 10-20 packages has to be reinstalled and reconfigured.

That's not unusual at all. Software has updates for many reasons, and
any software requires maintenance.

My issue is that more software means more maintenance and a larger
attack surface, and I should install as little as possible. If a piece
of software is vulnerable, we update it. From the customer side, it
doesn't matter how many packages as long as it's as few as possible
total.

Going back to sudo, suppose I have sudo installed and OpenLDAP has a
security vulnerability. If I'm running with minimal dependencies and
didn't install the sudo which needs LDAP, I have nothing to
update. I'm not exposed.

The problem with dependencies isn't that it's wrong to have a piece of
software have a few dependencies. It's when software has an optional
dependency (ie: ldap with sudo) that the package manager forces me to
install all the optional software too, recursively for the chain of
dependencies. So sudo suddenly needs LDAP always, which needs a
library for international encodings, lz4 compression, and ... etc, etc,
etc... One package becomes 18 packages.

Poul-Henning Kamp made an excellent write up of issues like this in
his article "A Generation Lost in the Bazaar":
https://queue.acm.org/detail.cfm?id=2349257

I get that more features can mean more dependencies. My argument is
that we're on critical systems that are more sensitive to attack
surface and total software. Give me options to minimize how much I
install. It was a valid strategy to provide sudo and sudo-noldap.

> This is far more work hence operating systems are designed in
> modular way to reduce such work.

I reiterate: it's more work for the package maintainer, not the
customer. Yes that means I'm asking you to do more work. I'm also
trying to explain why it's a correct technical decision. I also
suggested IBM provide supported BFF's for a support fee.

> I understand some of the people would have faced issues those are
> not familiar with RPM and dnf/yum but once they will get some
> experience it is pretty easy.

Given the seniority of most AIX resources, I don't believe a lack of
familiarity with RPM or DNF is really a concern. Most AIX
administrators I work with think Linux is easy.

You're asking us to setup a second, parallel, potentially conflicting
package manager on our systems. A networked package manager that is
installing far more software than it needs, from sources unknown, from
a software ecosystem much more vulnerable to supply chain attacks than
IBM's software, and with a high frequency of vulnerabilities which
need fixing.

What next, antivirus on AIX?

> We always wanted these open source software to not interfere with
> base AIX hence they are provided in separate location with its own
> eco system.

Yet we have openssl issues recently? This is a conflict between the
RPMs and AIX native BFFs.

> There are always some scope of improvements and we welcome inputs
> from our partners/customers.

I still appreciate your efforts packaging these software tools, and
I'm glad you took the time to have a discussion.

------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/25/2022 9:12:00 AM
From: SANKET RATHI
Subject: RE: Rsync installing the AIX 6100-09-04-1441

Thank you Russell for your honest feedback but I think there are many things we are missing here. 
We are discussing open source softwares and open source eco system is designed in such a way that it has dependency on other open source software.
Regarding minimizing dependencies so this is again very thin line over the years AIX customers have asked to enable newer functionalities on open source software this causes newer dependencies. 
If we keep static linking then this will be more work for the customers, think a scenario where 10-20 packages dependent on a library if this library has 
security vulnerability then all these 10-20 packages has to be reinstalled and reconfigured.
This is far more work hence operating systems are designed in modular way to reduce such work. 
I understand some of the people would have faced issues those are not familiar with RPM and dnf/yum but once they will get some experience it is pretty easy. 
We always wanted these open source software to not interfere with base AIX hence they are provided in separate location with its own eco system. 
There are always some scope of improvements and we welcome inputs from our partners/customers.

------------------------------
SANKET RATHI
------------------------------

Original Message:
Sent: Thu March 24, 2022 02:23 PM
From: Russell Adams
Subject: Rsync installing the AIX 6100-09-04-1441

I'm afraid I have to respond, but please don't interpet my criticism
for hostility. I feel I have to debunk some points.

On Thu, Mar 24, 2022 at 05:18:31PM +0000, SANKET RATHI via IBM Community wrote:
> Both the approaches have their pros and cons.

I assume you mean to compare distributing statically compiled
binaries, versus dynamically compiled binaries.

> If everything is built statically then you don't know what all
> dependencies are there and if there is any security vulnerabilities
> in any of the dependency. Also if there is an issue in one of the
> dependency then whole package has to be rebuilt.

That's true that static images may include older libraries. I think
that just demonstrates that dependencies should be minimized and
documented for transparency and security.

There is a major problem with dependency spam in packaging on other
platforms (ie: Linux), which is bleeding into AIX packages.

Distributing programs with dynamic dependencies that makes mandatory
use of a second parallel package manager in order to resolve those
dependencies is really only reducing the workload on the
**packager**.

It doesn't address the security concerns of those increased
dependencies, or the sudden enormous growth in trivial
dependencies. It also doesn't address the concern of creating,
securing, and maintaining parallel and conflicting package management
infrastructures.

More code == more security issues.

If I install 10x more packages in my system to get all the
dependencies, I have now 10x more software to check for
vulnerabilities and keep up to date. Now amplify that across the
install base. Our maintenance time and effort far outweighs packaging
time.

When it comes to getting software from IBM, I expect they have
encapsulated all of the dependencies and minimized my work on the
distribution side. That's why we pay for IBM software.

> The dynamic libraries and dependency is more universal solution and
> transparent. It is the method followed on other platform hence it is
> more compatible.

Google invented a whole new language (Go) which among other features
makes static binaries to deploy across their platforms to minimize
dependencies. They already faced dependency hell and made dramatic
changes to prevent it.

If Windows and Linux are your benchmarks here, they are poor
examples. AIX is more secure and reliable than these platforms
precisely because we are held to higher standards.

> Once you have setup dnf/yum then it is very easy to install any
> package from AIX toolbox or your local yum repo.

If you were on Redhat Enterprise Linux, and I told you to go setup
'apt' and download the Ubuntu repositories so I could install a
package, you'd tell me that's crazy and unsupported. It's likely that
any Redhat update would break your Ubuntu packages, and vice
versa. Why is that any different here for BFF and DNF/RPM?

Production systems are typically firewalled away from the internet for
security.

We already have existing internal infrastructure deployed to manage
AIX and software in NIM. LPP sources are distribution groups of BFF
files, and they include dependency resolution. The difference is that
it's a completely offline solution, where only code from trusted
sources (ie: IBM) is installed after being verified.

> It is similar to any rpm based Linux distro.

At the POWER VUG meeting this week the number of CVEs per OS was shown
on a slide, and from memory they had something like 8000 Linux CVE vs
80 on AIX in the time, and even fewer on PowerVM and our
hardware. Since I can't reference that slide, a few minutes searching
found an aggregation site.

For some comparison, AIX isn't even in the top 50 CVE products. All
the Linux distributions are.

https://www.cvedetails.com/top-50-products.php

Redhat has plenty (4038 total):

https://www.cvedetails.com/vendor/25/Redhat.html

While AIX doesn't (286 total).

https://www.cvedetails.com/product/17/IBM-AIX.html?vendor_id=14

AIX shouldn't aspire to be Linux.

-- rant over --

On a milder note Sanket, please take my criticism for what it is:
honest criticism. I'm trying to provide feedback to help ensure that
everyone can receive the best software they can, with the properly
high standards of reliability, maintainability, and security that we
should expect from AIX and IBM. I want to make sure that any technical
decisions are well thought out at all layers.

I understand you're involved in packaging free software for AIX, and
I'm sure that's a thankless job. There's a reason why software must be
packaged, and I'm grateful that IBM assigns talented resources to take
time to try and distribute common tools from other platforms to
AIX. Sometimes they are useful, sometimes they come with
liabilities. I also understand this is a "free" service, unlike paid
software from IBM. However the results impact our paid, supported,
premium platform.

I'm trying to explain that AIX is properly different from other
operating systems. It's trusted to handle some of the largest
workloads on Earth at some very critical institutions. As a result,
the standards are high.

Thanks for your efforts.

------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/24/2022 1:18:00 PM
From: SANKET RATHI
Subject: RE: Rsync installing the AIX 6100-09-04-1441

Both the approaches have their pros and cons.
If everything is built statically then you don't know what all dependencies are there and if there is any security vulnerabilities in any of the dependency.
Also if there is an issue in one of the dependency then whole package has to be rebuilt.
The dynamic libraries and dependency is more universal solution and transparent. It is the method followed on other platform hence it is more compatible. 
Once you have setup dnf/yum then it is very easy to install any package from AIX toolbox or your local yum repo. 
It is similar to any rpm based Linux distro.

------------------------------
SANKET RATHI

Original Message:
Sent: Thu March 24, 2022 12:35 PM
From: Tom McGivern
Subject: Rsync installing the AIX 6100-09-04-1441

I prefer using aixtools.net.  The maintainer builds the packages into instalp format(thus shows up in lslpp output), AND, packages the dependancies as static modules.  Thus saving you from the dependency hell you're starting to slide into.

www.aixtools.net/index.php/rsync

he's also been fairly active on rootvg.net to discuss his packaging.

------------------------------
Tom McGivern

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------

Good idea. I've also seen Bull's Freeware (now closed) and Perlz (http://www.perzl.org/aix/).

The AIX Toolkit should have been published in BFF (installp) from the start. Managing a parallel package manager within an OS causes many kinds of conflicts, and IBM could have set an example in best practices for BFF packaging.

Dependency hell, parallel conflicting packages (ie: openssl), frequent vulnerabilities in non-essential software, and mandatory network connectivity dependencies are several reasons why I must tell my customers to not use AIX Toolkit packages any longer. That if they need a package, they need to get it from a supported source (ie: sudo from https://www.sudo.ws/getting/packages/ ).

------------------------------
========================
Russell Adams
https://adamssystems.nl/
========================
------------------------------

Original Message:
Sent: Thu March 24, 2022 12:35 PM
From: Tom McGivern
Subject: Rsync installing the AIX 6100-09-04-1441

I prefer using aixtools.net.  The maintainer builds the packages into instalp format(thus shows up in lslpp output), AND, packages the dependancies as static modules.  Thus saving you from the dependency hell you're starting to slide into.

www.aixtools.net/index.php/rsync

he's also been fairly active on rootvg.net to discuss his packaging.

------------------------------
Tom McGivern

Original Message:
Sent: Tue March 22, 2022 03:11 AM
From: mahesh Muvva
Subject: Rsync installing the AIX 6100-09-04-1441

rsync rpm trying to installing aix6100-09-04-1441 server but getting the error below 

rpm -ivh rsync-3.2.3-1.aix6.1.ppc.rpm
error: failed dependencies:
libcrypto.a(libcrypto.so.1.0.2) is needed by rsync-3.2.3-1
liblz4.a(liblz4.so.1) is needed by rsync-3.2.3-1
lz4 >= 1.9.2 is needed by rsync-3.2.3-1

the dependency pkgs also not available in google kindly help to install the rsync in AIX 6.1

------------------------------
mahesh Muvva
------------------------------